How to Replace a Certificate in Bastion?

To change the Bastion certificate you need to edit your bastion.xml file located at:

Agat/Bastion/bastion.xml

In each listener you have configured, look at the certificates tag. It carries the following settings:

  • caBundleFile - path to the certificate authority bundle file used to verify the published (upstream) server's certificate (only needed if the connection from Bastion to the published server uses SSL)
  • caCertsDirPath - path to a directory of certificate authority files, used for the same purpose as caBundleFile
  • ignoreUpstreamCertificatesErrors - whether certificate errors on the published server are ignored, i.e. whether its certificate is left unverified; keep this disabled unless you accept that Bastion will forward to a server it cannot authenticate
  • path - location of the certificate that Bastion presents to clients
  • privatekey - location of the private key belonging to that certificate
  • intermediateCaChain - path to the intermediate CA bundle file (the CA certificates between your server certificate and the trusted root, so that clients can build the chain)

You can configure the certificate in one of three ways:

  • Use a .pfx file containing both the certificate and the private key (in that case the privatekey tag is left empty).
  • Use separate files for the certificate and the private key.
  • Use a certificate installed in the local machine certificate store. In that case the privatekey tag is also left empty, because the key is taken from the store entry together with the certificate.
    The path should look like:

store:/LocalMachine/My/#667B3CC8ADF2B13BB9F4BF258F3232C337EE3389

         For the store name you can use:

  • LocalMachine
  • CurrentUser
  • CurrentService

         For each one of those you can use:

  • MY
  • ROOT
  • TRUST
  • CA

         The # marks that what follows is the thumbprint of the certificate found in that store.
            You can find the thumbprint by opening the certificate (for example from certlm.msc), going to the Details tab and looking for the Thumbprint field. Enter it as a plain hex string without spaces, as in the example above.
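The store: path form above takes the thumbprint from the Windows certificate store, and the certificate it points at only works for a listener if the store entry also holds the private key, is currently valid, is allowed for server authentication and chains to a trusted root. The following PowerShell script is an added example for this article, not part of Bastion or its documentation: it finds a certificate in a store by hostname, runs those checks, and prints the ready-to-paste value for the path tag. The store location and name, and the hostname bastion.example.com, are assumed sample inputs.

```powershell
# Added example for this article; it is not part of Bastion or its documentation.
# Finds a server certificate in a Windows certificate store, checks that it is
# usable by a listener, and prints the store:/ value for the "path" tag.
# Assumed inputs: the store location/name and the hostname 'bastion.example.com'.

function Get-BastionStorePath {
    param(
        [string]$Location = 'LocalMachine',          # LocalMachine | CurrentUser | CurrentService
        [string]$Name     = 'My',                    # MY | ROOT | TRUST | CA
        [Parameter(Mandatory)][string]$HostName      # name the certificate must cover
    )

    $now   = Get-Date
    # The Cert: drive mirrors the store:/<Location>/<Name> notation that Bastion expects.
    $certs = Get-ChildItem -Path "Cert:\$Location\$Name" -ErrorAction Stop |
        Where-Object { $_.Subject -like "*CN=$HostName*" -or $_.DnsNameList.Unicode -contains $HostName }

    if (-not $certs) { throw "No certificate for '$HostName' in $Location\$Name" }

    foreach ($cert in $certs) {
        $problems = @()

        # A store: path carries no privatekey tag, so the key must live in the store entry.
        if (-not $cert.HasPrivateKey) { $problems += 'no private key associated' }

        # Expired or not-yet-valid certificates are rejected by clients.
        if ($cert.NotAfter -le $now -or $cert.NotBefore -gt $now) {
            $problems += "not valid now (NotBefore $($cert.NotBefore), NotAfter $($cert.NotAfter))"
        }

        # The certificate must be marked for Server Authentication (EKU 1.3.6.1.5.5.7.3.1).
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
            $problems += 'no Server Authentication EKU'
        }

        # Build the chain on this host. A failure here usually means the intermediate CA
        # is missing, which is what the intermediateCaChain tag exists for.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $problems += "chain does not build: $status"
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Expires    = $cert.NotAfter
            Thumbprint = $cert.Thumbprint          # uppercase hex, no spaces
            Path       = "store:/$Location/$Name/#$($cert.Thumbprint)"
            Problems   = $problems
        }
    }
}

# Usage on the Bastion host from an elevated prompt; the hostname is an assumed sample value.
Get-BastionStorePath -Location LocalMachine -Name My -HostName 'bastion.example.com' | Format-List
```

Copy the Path value into the path tag of the listener only when Problems is empty. Note that HasPrivateKey tells you the key exists, not that Bastion can read it: the account the Bastion service runs as still needs read permission on that key (in certlm.msc, right-click the certificate, All Tasks, Manage Private Keys), otherwise the listener will fail to start even though the store path is correct.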